Linux filesystem special attributes: chattr and lsattr

chattr: set file attributes
lsattr: list file attributes
chattr [+-=] [ASacdijstu] [file or directory]
Parameter description:
+-=: "+" adds the listed attributes, "-" removes them, "=" makes them the only attributes the file has
A: with A set, the access time (atime) of the file (or directory) is not updated when it is read; this saves a certain amount of disk I/O, for example on laptops;
S: similar to the sync mount option: changes are written synchronously to disk, which helps avoid losing data on a crash;
a: with a set, the file can only be opened for writing in append mode, so data can be added but existing data cannot be overwritten or removed; only root (or a process with CAP_LINUX_IMMUTABLE) can set or clear this attribute;
c: with c set, the file is compressed automatically on disk and transparently decompressed on read; data is compressed before it is stored (intended for large files). Note that mainline ext2/ext3 do not implement this attribute, see the BUGS AND LIMITATIONS section of the man page below;
d: with d set, the file (or directory) is skipped when the dump(8) backup program runs (no dump);
i: this attribute makes the file immutable: it cannot be deleted, renamed or hard-linked, and no data can be written to it; very useful for system hardening. Only root (or a process with CAP_LINUX_IMMUTABLE) can set or clear it;
j: on an ext3 filesystem, j causes the file's data to be written to the journal before being written to the file itself; when the filesystem is mounted with data=journal, all data is already journalled and this attribute has no effect;
s: when a file with s set is deleted, its blocks are zeroed and written back to disk (secure deletion). Not honored by mainline ext2/ext3;
u: the opposite of s: when a file with u set is deleted, its contents are kept on disk so that the file can be undeleted. Not honored by mainline ext2/ext3.

lsattr [-aR] [file...]
Parameter description:
-a: also list hidden files (names starting with ".") inside directories
-R: recurse into subdirectories

Make the account databases immutable so that nobody (including automated tooling) can change them:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
Two caveats. First, +i only stops processes that lack CAP_LINUX_IMMUTABLE: root can undo it with chattr -i, so treat it as protection against mistakes and unprivileged or scripted tampering, not as a defence against a root compromise. Second, while the attribute is set, useradd, usermod and passwd cannot update these files; remove it with chattr -i before managing accounts and set it again afterwards.
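A small audit script for the hardening above, as an added example that is not part of the original post: it parses `lsattr` short-format output ("flags path" per line), checks it against a policy (account databases must carry i, an auth log must carry a), and prints the `chattr` commands needed to close the gaps. It also reads inode flags directly through the FS_IOC_GETFLAGS ioctl, which is what chattr and lsattr themselves use. The flag bit values are those of the FS_*_FL constants in linux/fs.h, the ioctl number assumes 64-bit Linux, and the sample lsattr lines and the policy dict are constructed for illustration.

```python
"""Audit chattr attributes: parse lsattr output and decode raw inode flags.

Added example, not from the original post. Assumes e2fsprogs-style lsattr
short-format lines ("<flags> <path>") and the FS_*_FL bit layout of
<linux/fs.h>; the sample lsattr output and policy below are constructed.
"""
import fcntl
import os
import struct

# Bit -> letter, as chattr/lsattr map them (FS_*_FL constants in linux/fs.h).
FLAG_LETTERS = {
    0x00000001: "s",  # FS_SECRM_FL        secure deletion
    0x00000002: "u",  # FS_UNRM_FL         undeletable
    0x00000004: "c",  # FS_COMPR_FL        compressed
    0x00000008: "S",  # FS_SYNC_FL         synchronous updates
    0x00000010: "i",  # FS_IMMUTABLE_FL    immutable
    0x00000020: "a",  # FS_APPEND_FL       append only
    0x00000040: "d",  # FS_NODUMP_FL       no dump
    0x00000080: "A",  # FS_NOATIME_FL      no atime updates
    0x00000100: "Z",  # FS_DIRTY_FL        compressed dirty file
    0x00001000: "I",  # FS_INDEX_FL        htree-indexed directory
    0x00004000: "j",  # FS_JOURNAL_DATA_FL data journalling
    0x00008000: "t",  # FS_NOTAIL_FL       no tail-merging
    0x00010000: "D",  # FS_DIRSYNC_FL      synchronous directory updates
    0x00020000: "T",  # FS_TOPDIR_FL       top of directory hierarchy
    0x00040000: "h",  # FS_HUGE_FILE_FL    huge file
    0x00080000: "e",  # FS_EXTENT_FL       extent format
}

# FS_IOC_GETFLAGS = _IOR('f', 1, long); this is the 64-bit Linux value (assumption).
FS_IOC_GETFLAGS = 0x80086601


def decode_flags(raw):
    """Turn an FS_IOC_GETFLAGS bitmask into the set of lsattr letters."""
    return {letter for bit, letter in FLAG_LETTERS.items() if raw & bit}


def get_flags(path):
    """Read inode flags with the same ioctl chattr/lsattr use.

    Returns a set of letters, or None when the file is missing or the
    filesystem does not support the ioctl (ENOTTY on many tmpfs/overlay setups).
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
        return decode_flags(struct.unpack("l", buf)[0])
    except OSError:
        return None
    finally:
        os.close(fd)


def parse_lsattr(output):
    """Parse lsattr short-format lines into {path: set(letters)}."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, path = line.split(None, 1)      # path may itself contain spaces
        result[path] = {ch for ch in flags if ch != "-"}
    return result


def audit(attrs, policy):
    """Return {path: missing letters} for every policy entry not fully satisfied."""
    findings = {}
    for path, required in policy.items():
        have = attrs.get(path)
        missing = set(required) if have is None else set(required) - have
        if missing:
            findings[path] = missing
    return findings


def remediation_commands(findings):
    """chattr invocations that would bring the findings into compliance."""
    return ["chattr +%s %s" % ("".join(sorted(missing)), path)
            for path, missing in sorted(findings.items())]


# Constructed sample: what lsattr might print on an ext4 host where hardening
# was only half applied (passwd/group immutable, shadow/gshadow not yet).
SAMPLE_LSATTR = """\
----i---------e------- /etc/passwd
--------------e------- /etc/shadow
----i---------e------- /etc/group
--------------e------- /etc/gshadow
-----a--------e------- /var/log/secure
"""

# Constructed policy: account databases immutable, the auth log append-only.
POLICY = {
    "/etc/passwd": {"i"},
    "/etc/shadow": {"i"},
    "/etc/group": {"i"},
    "/etc/gshadow": {"i"},
    "/var/log/secure": {"a"},
}

if __name__ == "__main__":
    for cmd in remediation_commands(audit(parse_lsattr(SAMPLE_LSATTR), POLICY)):
        print(cmd)
    live = get_flags("/etc/passwd")
    print("live /etc/passwd flags:", live if live is not None else "unavailable")
```

In production you would feed `parse_lsattr` the real output of `lsattr /etc/passwd /etc/shadow ...`, or call `get_flags` on each path and skip the external command entirely; `get_flags` returns None rather than raising on filesystems that do not support the ioctl, so the audit degrades to "unknown" instead of crashing.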

The man page is really worth reading:
# man chattr
CHATTR(1)                                                            CHATTR(1)

NAME
   chattr - change file attributes on a Linux file system

SYNOPSIS
   chattr [ -RVf ] [ -v version ] [ mode ] files...

DESCRIPTION
   chattr changes the file attributes on a Linux file system.

   The format of a symbolic mode is +-=[acdeijstuADST].

   The operator '+' causes the selected attributes to be added to the existing attributes of the files; '-' causes them to be removed; and '=' causes them to be the only attributes that the files have.

   The letters 'acdeijstuADST' select the new attributes for the files: append only (a), compressed (c), no dump (d), extent format (e), immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).

   The following attributes are read-only, and may be listed by lsattr(1) but not modified by chattr: huge file (h), compression error (E), indexed directory (I), compression raw access (X), and compressed dirty file (Z).
OPTIONS
   -R     Recursively change attributes of directories and their contents.

   -V     Be verbose with chattr's output and print the program version.

   -f     Suppress most error messages.

   -v version
          Set the file's version/generation number.
ATTRIBUTES
   When a file with the 'A' attribute set is accessed, its atime record is not modified. This avoids a certain amount of disk I/O for laptop systems.

   A file with the 'a' attribute set can only be open in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

   A file with the 'c' attribute set is automatically compressed on the disk by the kernel. A read from this file returns uncompressed data. A write to this file compresses data before storing them on the disk. Note: please make sure to read the bugs and limitations section at the end of this document.

   When a directory with the 'D' attribute set is modified, the changes are written synchronously on the disk; this is equivalent to the 'dirsync' mount option applied to a subset of the files.

   A file with the 'd' attribute set is not candidate for backup when the dump(8) program is run.

   The 'E' attribute is used by the experimental compression patches to indicate that a compressed file has a compression error. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).

   The 'e' attribute indicates that the file is using extents for mapping the blocks on disk. It may not be removed using chattr(1).

   The ’I’ attribute is used by the htree code to indicate that a directory is being indexed using hashed trees.  It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).

   The ’h’ attribute indicates the file is storing its blocks in units of the filesystem  blocksize  instead  of  in units  of  sectors,  and means that the file is (or at one time was) larger than 2TB.  It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).

   A file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file.  Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

   A file with the ‘j’ attribute has all of its data written to the ext3 journal before being written  to  the  file itself, if the filesystem is mounted with the "data=ordered" or "data=writeback" options.  When the filesystem is mounted with the "data=journal" option all file data is already journalled and  this  attribute  has  no  effect. Only the superuser or a process possessing the CAP_SYS_RESOURCE capability can set or clear this attribute.

   When  a  file  with  the ‘s’ attribute set is deleted, its blocks are zeroed and written back to the disk.  Note: please make sure to read the bugs and limitations section at the end of this document.

   When a file with the ‘S’ attribute set is modified, the changes are written synchronously on the  disk;  this  is equivalent to the ‘sync’ mount option applied to a subset of the files.

   A  directory with the ’T’ attribute will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator.  This is a hint to the block allocator used by ext3 and ext4 that the subdirectories under this  directory  are  not related, and thus should be spread apart for allocation purposes.   For example it is a very good idea to set the ’T’ attribute on the /home directory, so that /home/john and /home/mary are placed into separate  block  groups.   For directories where this attribute is not set, the Orlov block allocator will try to group subdirectories closer together where possible.

   A file with the ’t’ attribute will not have a partial block fragment at the end of the  file  merged  with  other files  (for those filesystems which support tail-merging).  This is necessary for applications such as LILO which read the filesystem directly, and which don’t understand tail-merged files.  Note: As of this writing,  the  ext2 or ext3 filesystems do not (yet, except in very experimental patches) support tail-merging.

   When  a  file with the ‘u’ attribute set is deleted, its contents are saved.  This allows the user to ask for its undeletion.  Note: please make sure to read the bugs and limitations section at the end of this document.

   The 'X' attribute is used by the experimental compression patches to indicate that a raw contents of a compressed file can be accessed directly. It currently may not be set or reset using chattr(1), although it can be displayed by lsattr(1).

   The 'Z' attribute is used by the experimental compression patches to indicate a compressed file is dirty. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).

AUTHOR
   chattr was written by Remy Card <[email protected]>. It is currently being maintained by Theodore Ts'o <[email protected]>.

BUGS AND LIMITATIONS
   The 'c', 's', and 'u' attributes are not honored by the ext2 and ext3 filesystems as implemented in the current mainline Linux kernels. These attributes may be implemented in future versions of the ext2 and ext3 filesystems.

   The ‘j’ option is only useful if the filesystem is mounted as ext3.

   The ‘D’ option is only useful on Linux kernel 2.5.19 and later.

AVAILABILITY
   chattr is part of the e2fsprogs package and is available from http://e2fsprogs.sourceforge.net.

SEE ALSO
   lsattr(1)

E2fsprogs version 1.41.12 May 2010 CHATTR(1)

Original source: http://blog.51cto.com/gotoo/2093959

Time: 2024-10-25 02:34:32
